Question : how to set up a gateway for a public wireless network with security to stop neighbours leeching on the weekends

BACKGROUND
In our organisation we have one internet connection that is subnetted into 2 sections. One section is for a small team of developers that work in what is a high risk environment (developing a corporate gateway in Facebook, Second Life, etc). The second section is connected to an open wireless network inside the building that is for use by visitors that are doing training courses. This section is connected to 8 low end Linksys WAP54G wireless access points spread into 3 channels and a bunch of repeaters via a Linksys SR216 switch (unprogrammable). The 'staff' section is securely separated from the 'public' section but needs to be accessed remotely by the staff members 24/7. The 'public' section is totally open and unsecured. As this is intended to be a resource that is available to all visitors, the wireless network is to be kept as easy for the visitors to use as possible - even with it being completely open in every way I still have 1-2 help desk calls per month from visitors that have trouble accessing it.

In case you're wondering, the main corporate network is on a physically different connection from this one, so there is zero risk to the main corporate network.

Recently a nearby leecher has begun taking advantage of the open network on the weekend. While I normally wouldn't mind, the leecher has gone from a couple of gigs on the weekend to over 10Gb - which has gone from making use of a public resource, to abusing it and ticking me off.

PROBLEM
What I'd like is advice and suggestions for how best to lock down the wireless network to shut down the leecher and their friends, while still keeping as much of the functionality of the wireless network for the visitors as possible.

LIMITS
1) From a management perspective, the most I'm allowed to lock down the users to is a simple password on a proxy server that cannot be changed more than once a week, and then it can only change on the weekends, and must be very simple for the unskilled end user to use. This rules out any wireless network keys.
2) Further, we have to allow the end users to connect to their own corporate networks as well, so that means allowing VPNs and encrypted data through the wireless network.
3) Other than the switch and the wireless access points, I also have an old PC available that can be programmed to do any task you wish.
4) There is no equipment in that network that is able to log MAC addresses (otherwise this would be easy)

Any suggestions?

Answer : how to set up a gateway for a public wireless network with security to stop neighbours leeching on the weekends

For those that may find this, I solved the problem this way.

The ADSL modem was replaced with a Billion BIPAC7401 series ADSL 2+ modem/router. That modem has an internal firewall in it that selectively blocks all P2P connections. Using that has considerably reduced the traffic caused by the leecher without affecting the functionality for the other users on the network. I then programmed the 501 PIX firewall using the setup described by George Ou in this webpage - http://lanarchitect.net/Articles/Cisco/IOSRouter/index.htm and connected it between the switch on the wireless network and the ADSL modem. This gave a network setup that looks vaguely like this...

                      |----> Secure Firewall -----> High risk Developer's PC
Billion ADSL Modem    |
                      |----> PIX 501 Firewall --> unmanaged switch --> multiple wireless points --> users

I then monitored the use of the wireless and blocked off favourite sites that the leecher was still accessing via HTTP and FTP. I could do this without affecting the availability of the network to other users and visitors as the leecher's favourite sites were mostly porn and file sharing sites.

This is not an ideal setup but it will do until I can get funding for a managed switch to lock off this guy's MAC address - but as this is a low priority thing for the company I work for, and now his usage has been cut significantly, it may not happen for a while.
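
Added example (not part of the original answer): one way to do the monitoring step described above, by totalling weekend traffic per client and per destination so the heaviest destinations can be reviewed for blocking. The log format, IP addresses and host names are constructed assumptions; adapt the parser to whatever the gateway or proxy actually logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format, not from the original post):
# ISO timestamp, client IP, destination host, bytes transferred.
SAMPLE_LOG = """\
2008-03-07T14:02:11 192.168.2.31 vpn.example-corp.test 52428800
2008-03-08T01:15:40 192.168.2.77 files.example-share.test 3221225472
2008-03-08T03:48:02 192.168.2.77 files.example-share.test 2147483648
2008-03-08T09:30:00 192.168.2.77 media.example-video.test 1073741824
2008-03-09T22:10:19 192.168.2.77 files.example-share.test 1073741824
2008-03-09T23:59:59 192.168.2.40 mail.example-corp.test 1048576
malformed line that should be skipped
2008-03-10T09:00:00 192.168.2.31 files.example-share.test 4294967296
"""

def parse_line(line):
    """Return (timestamp, client, host, nbytes) or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def weekend_totals(log_text):
    """Sum weekend (Sat/Sun) bytes per client and per destination host."""
    by_client, by_host = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0].weekday() < 5:   # 5 = Saturday, 6 = Sunday
            continue
        _, client, host, nbytes = rec
        by_client[client] += nbytes
        by_host[host] += nbytes
    return dict(by_client), dict(by_host)

def over_threshold(totals, limit_bytes):
    """Return (name, bytes) pairs above the limit, heaviest first."""
    return sorted(((k, v) for k, v in totals.items() if v > limit_bytes),
                  key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    clients, hosts = weekend_totals(SAMPLE_LOG)
    for name, total in over_threshold(hosts, 512 * 1024 ** 2):
        print(f"{name}: {total / 1024 ** 3:.1f} GiB on the weekend")
```

Weekday traffic to the same destination is ignored on purpose, so a site that visitors also use during the week stands out before it is blocked for everyone.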